NSA was not aware of the recently identified vulnerability in
OpenSSL, the so-called Heartbleed vulnerability, until it was
made public in a private sector cybersecurity report. Reports
that say otherwise are wrong.

Reports that NSA or any other part of the government were aware
of the so-called Heartbleed vulnerability before April 2014 are
wrong. The Federal government was not aware of the recently
identified vulnerability in OpenSSL until it was made public in a
private sector cybersecurity report. The Federal government
relies on OpenSSL to protect the privacy of users of government
websites and other online services. This Administration takes
seriously its responsibility to help maintain an open,
interoperable, secure and reliable Internet. If the Federal
government, including the intelligence community, had discovered
this vulnerability prior to last week, it would have been
disclosed to the community responsible for OpenSSL.

When Federal agencies discover a new vulnerability in commercial
and open source software – a so-called “Zero day” vulnerability
because the developers of the vulnerable software have had zero
days to fix it – it is in the national interest to responsibly
disclose the vulnerability rather than to hold it for an
investigative or intelligence purpose.

In response to the recommendations of the President’s Review
Group on Intelligence and Communications Technologies, the White
House has reviewed its policies in this area and reinvigorated an
interagency process for deciding when to share vulnerabilities.
This process is called the Vulnerabilities Equities Process.
Unless there is a clear national security or law enforcement
need, this process is biased toward responsibly disclosing such
vulnerabilities.

The National Security Council, a policy-making group that's
chaired by President Obama, also sent a statement to NBC News:

"The Federal government relies on OpenSSL to protect the
privacy of users of government websites and other online
services," the statement read in part. "If the Federal
government, including the intelligence community, had
discovered this vulnerability prior to last week, it would have
been disclosed to the community responsible for
OpenSSL."